cba8c7a97ad1bacaac00578d4d5d422b82064ff9b3b9b6c0e67083e6948ef82a

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe
Size

168KB
MD5

a73f9620b650cad8be84fea4b2ce1565
SHA1

02a108e425dda8043a4af1fcc0686c3abcbe6061
SHA256

cba8c7a97ad1bacaac00578d4d5d422b82064ff9b3b9b6c0e67083e6948ef82a
SHA512

d0b676caae9a7edb4b85273a1c8937706fcfb317b810b317cbf4c7cb0ca26c0771513a289a6dbd13658653edf43f8e0364e46cb110682948771ed201c9318560
SSDEEP

1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 11 IoCs

resource	yara_rule
behavioral1/files/0x000f000000012028-5.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x00360000000144c0-12.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0010000000012028-19.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0036000000014531-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0004000000004ed7-33.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0011000000012028-40.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0005000000004ed7-47.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0012000000012028-54.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0006000000004ed7-61.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0013000000012028-68.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral1/files/0x0007000000004ed7-75.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}	{1615241C-9529-4745-A5A3-9949C96F036D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AEAD561-1864-4992-A7DB-93061214BB30}\stubpath = "C:\\Windows\\{8AEAD561-1864-4992-A7DB-93061214BB30}.exe"	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}\stubpath = "C:\\Windows\\{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe"	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1615241C-9529-4745-A5A3-9949C96F036D}	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1615241C-9529-4745-A5A3-9949C96F036D}\stubpath = "C:\\Windows\\{1615241C-9529-4745-A5A3-9949C96F036D}.exe"	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}\stubpath = "C:\\Windows\\{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe"	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27E8B1BA-071A-41b6-A9B8-2402DA9E3E58}	{557BA13D-9E08-426a-B064-86D3DC6F7EEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}\stubpath = "C:\\Windows\\{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe"	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AEAD561-1864-4992-A7DB-93061214BB30}	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{557BA13D-9E08-426a-B064-86D3DC6F7EEE}	{33A5FF9B-0F0D-43ac-9DED-39A9C14368CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27E8B1BA-071A-41b6-A9B8-2402DA9E3E58}\stubpath = "C:\\Windows\\{27E8B1BA-071A-41b6-A9B8-2402DA9E3E58}.exe"	{557BA13D-9E08-426a-B064-86D3DC6F7EEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE35A883-BEE6-40d4-94CE-A5AEE35AAC12}	{27E8B1BA-071A-41b6-A9B8-2402DA9E3E58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}\stubpath = "C:\\Windows\\{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe"	{1615241C-9529-4745-A5A3-9949C96F036D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33A5FF9B-0F0D-43ac-9DED-39A9C14368CD}\stubpath = "C:\\Windows\\{33A5FF9B-0F0D-43ac-9DED-39A9C14368CD}.exe"	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{557BA13D-9E08-426a-B064-86D3DC6F7EEE}\stubpath = "C:\\Windows\\{557BA13D-9E08-426a-B064-86D3DC6F7EEE}.exe"	{33A5FF9B-0F0D-43ac-9DED-39A9C14368CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE35A883-BEE6-40d4-94CE-A5AEE35AAC12}\stubpath = "C:\\Windows\\{AE35A883-BEE6-40d4-94CE-A5AEE35AAC12}.exe"	{27E8B1BA-071A-41b6-A9B8-2402DA9E3E58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}\stubpath = "C:\\Windows\\{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe"	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33A5FF9B-0F0D-43ac-9DED-39A9C14368CD}	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe

Deletes itself 1 IoCs

pid	Process
2948	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2856	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe
2116	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe
2776	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe
2144	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe
1916	{1615241C-9529-4745-A5A3-9949C96F036D}.exe
1896	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe
2428	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe
1960	{33A5FF9B-0F0D-43ac-9DED-39A9C14368CD}.exe
2932	{557BA13D-9E08-426a-B064-86D3DC6F7EEE}.exe
2492	{27E8B1BA-071A-41b6-A9B8-2402DA9E3E58}.exe
692	{AE35A883-BEE6-40d4-94CE-A5AEE35AAC12}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe
File created	C:\Windows\{33A5FF9B-0F0D-43ac-9DED-39A9C14368CD}.exe	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe
File created	C:\Windows\{557BA13D-9E08-426a-B064-86D3DC6F7EEE}.exe	{33A5FF9B-0F0D-43ac-9DED-39A9C14368CD}.exe
File created	C:\Windows\{27E8B1BA-071A-41b6-A9B8-2402DA9E3E58}.exe	{557BA13D-9E08-426a-B064-86D3DC6F7EEE}.exe
File created	C:\Windows\{AE35A883-BEE6-40d4-94CE-A5AEE35AAC12}.exe	{27E8B1BA-071A-41b6-A9B8-2402DA9E3E58}.exe
File created	C:\Windows\{8AEAD561-1864-4992-A7DB-93061214BB30}.exe	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe
File created	C:\Windows\{1615241C-9529-4745-A5A3-9949C96F036D}.exe	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe
File created	C:\Windows\{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe	{1615241C-9529-4745-A5A3-9949C96F036D}.exe
File created	C:\Windows\{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe
File created	C:\Windows\{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe
File created	C:\Windows\{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2096	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2856	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe
Token: SeIncBasePriorityPrivilege	2116	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe
Token: SeIncBasePriorityPrivilege	2776	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe
Token: SeIncBasePriorityPrivilege	2144	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe
Token: SeIncBasePriorityPrivilege	1916	{1615241C-9529-4745-A5A3-9949C96F036D}.exe
Token: SeIncBasePriorityPrivilege	1896	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe
Token: SeIncBasePriorityPrivilege	2428	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe
Token: SeIncBasePriorityPrivilege	1960	{33A5FF9B-0F0D-43ac-9DED-39A9C14368CD}.exe
Token: SeIncBasePriorityPrivilege	2932	{557BA13D-9E08-426a-B064-86D3DC6F7EEE}.exe
Token: SeIncBasePriorityPrivilege	2492	{27E8B1BA-071A-41b6-A9B8-2402DA9E3E58}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2856	2096	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	29
PID 2096 wrote to memory of 2856	2096	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	29
PID 2096 wrote to memory of 2856	2096	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	29
PID 2096 wrote to memory of 2856	2096	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	29
PID 2096 wrote to memory of 2948	2096	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	30
PID 2096 wrote to memory of 2948	2096	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	30
PID 2096 wrote to memory of 2948	2096	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	30
PID 2096 wrote to memory of 2948	2096	2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe	30
PID 2856 wrote to memory of 2116	2856	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe	31
PID 2856 wrote to memory of 2116	2856	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe	31
PID 2856 wrote to memory of 2116	2856	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe	31
PID 2856 wrote to memory of 2116	2856	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe	31
PID 2856 wrote to memory of 2608	2856	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe	32
PID 2856 wrote to memory of 2608	2856	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe	32
PID 2856 wrote to memory of 2608	2856	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe	32
PID 2856 wrote to memory of 2608	2856	{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe	32
PID 2116 wrote to memory of 2776	2116	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe	33
PID 2116 wrote to memory of 2776	2116	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe	33
PID 2116 wrote to memory of 2776	2116	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe	33
PID 2116 wrote to memory of 2776	2116	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe	33
PID 2116 wrote to memory of 2852	2116	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe	34
PID 2116 wrote to memory of 2852	2116	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe	34
PID 2116 wrote to memory of 2852	2116	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe	34
PID 2116 wrote to memory of 2852	2116	{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe	34
PID 2776 wrote to memory of 2144	2776	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe	37
PID 2776 wrote to memory of 2144	2776	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe	37
PID 2776 wrote to memory of 2144	2776	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe	37
PID 2776 wrote to memory of 2144	2776	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe	37
PID 2776 wrote to memory of 2224	2776	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe	38
PID 2776 wrote to memory of 2224	2776	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe	38
PID 2776 wrote to memory of 2224	2776	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe	38
PID 2776 wrote to memory of 2224	2776	{8AEAD561-1864-4992-A7DB-93061214BB30}.exe	38
PID 2144 wrote to memory of 1916	2144	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe	39
PID 2144 wrote to memory of 1916	2144	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe	39
PID 2144 wrote to memory of 1916	2144	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe	39
PID 2144 wrote to memory of 1916	2144	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe	39
PID 2144 wrote to memory of 2568	2144	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe	40
PID 2144 wrote to memory of 2568	2144	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe	40
PID 2144 wrote to memory of 2568	2144	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe	40
PID 2144 wrote to memory of 2568	2144	{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe	40
PID 1916 wrote to memory of 1896	1916	{1615241C-9529-4745-A5A3-9949C96F036D}.exe	41
PID 1916 wrote to memory of 1896	1916	{1615241C-9529-4745-A5A3-9949C96F036D}.exe	41
PID 1916 wrote to memory of 1896	1916	{1615241C-9529-4745-A5A3-9949C96F036D}.exe	41
PID 1916 wrote to memory of 1896	1916	{1615241C-9529-4745-A5A3-9949C96F036D}.exe	41
PID 1916 wrote to memory of 2000	1916	{1615241C-9529-4745-A5A3-9949C96F036D}.exe	42
PID 1916 wrote to memory of 2000	1916	{1615241C-9529-4745-A5A3-9949C96F036D}.exe	42
PID 1916 wrote to memory of 2000	1916	{1615241C-9529-4745-A5A3-9949C96F036D}.exe	42
PID 1916 wrote to memory of 2000	1916	{1615241C-9529-4745-A5A3-9949C96F036D}.exe	42
PID 1896 wrote to memory of 2428	1896	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe	43
PID 1896 wrote to memory of 2428	1896	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe	43
PID 1896 wrote to memory of 2428	1896	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe	43
PID 1896 wrote to memory of 2428	1896	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe	43
PID 1896 wrote to memory of 2440	1896	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe	44
PID 1896 wrote to memory of 2440	1896	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe	44
PID 1896 wrote to memory of 2440	1896	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe	44
PID 1896 wrote to memory of 2440	1896	{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe	44
PID 2428 wrote to memory of 1960	2428	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe	45
PID 2428 wrote to memory of 1960	2428	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe	45
PID 2428 wrote to memory of 1960	2428	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe	45
PID 2428 wrote to memory of 1960	2428	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe	45
PID 2428 wrote to memory of 1876	2428	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe	46
PID 2428 wrote to memory of 1876	2428	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe	46
PID 2428 wrote to memory of 1876	2428	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe	46
PID 2428 wrote to memory of 1876	2428	{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-16_a73f9620b650cad8be84fea4b2ce1565_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe
  C:\Windows\{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe
    C:\Windows\{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\{8AEAD561-1864-4992-A7DB-93061214BB30}.exe
      C:\Windows\{8AEAD561-1864-4992-A7DB-93061214BB30}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe
        
        C:\Windows\{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
      - C:\Windows\{1615241C-9529-4745-A5A3-9949C96F036D}.exe
        
        C:\Windows\{1615241C-9529-4745-A5A3-9949C96F036D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe
        
        C:\Windows\{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe
        
        C:\Windows\{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{33A5FF9B-0F0D-43ac-9DED-39A9C14368CD}.exe
        
        C:\Windows\{33A5FF9B-0F0D-43ac-9DED-39A9C14368CD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\{557BA13D-9E08-426a-B064-86D3DC6F7EEE}.exe
        
        C:\Windows\{557BA13D-9E08-426a-B064-86D3DC6F7EEE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\{27E8B1BA-071A-41b6-A9B8-2402DA9E3E58}.exe
        
        C:\Windows\{27E8B1BA-071A-41b6-A9B8-2402DA9E3E58}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\{AE35A883-BEE6-40d4-94CE-A5AEE35AAC12}.exe
        
        C:\Windows\{AE35A883-BEE6-40d4-94CE-A5AEE35AAC12}.exe
        12⤵
        Executes dropped EXE
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27E8B~1.EXE > nul
        12⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{557BA~1.EXE > nul
        11⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33A5F~1.EXE > nul
        10⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FA38~1.EXE > nul
        9⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5784~1.EXE > nul
        8⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16152~1.EXE > nul
        7⤵
        
        PID:2000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7836A~1.EXE > nul
        6⤵
        
        PID:2568
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AEAD~1.EXE > nul
        5⤵
        
        PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{84E81~1.EXE > nul
      4⤵
      PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3B84C~1.EXE > nul
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1615241C-9529-4745-A5A3-9949C96F036D}.exe

Filesize
168KB

MD5
7c4435cbf5815cd353ba940c6fe93676

SHA1
352ca2e8e280f304f202175386bf19c974a2ac99

SHA256
13512badb197ab5c12e4a2b09a1540f542df81943f257ab4f9580c1f3b13d7ed

SHA512
e59fa50f02fc7633e9633aad25e60aa7075f5cb127d8dcba071e122108f4184fad3fe922fad93b2e5bac245f17eeb0d801d20c53df82b7af4abbe3e2e871ef37

Download Submit
C:\Windows\{27E8B1BA-071A-41b6-A9B8-2402DA9E3E58}.exe

Filesize
168KB

MD5
7c07363986c6475b0c513c35e45bd257

SHA1
cb5f9951510ac0acf09f08f2684875d4dfc35fa3

SHA256
483f8d701da6c66c67efa97c5c87d1ff0266c94bb1e4badb21a7315b5dffd541

SHA512
eb025f0c69b40ed377baad08788d8bfca584ec6bab7075ab84a1565c08a130aebcd8caf1d0f21aabdc1c4f5eafc6265f1042df31db37a1ee946632bdf6e04af3

Download Submit
C:\Windows\{2FA38BD1-53BC-4a89-9282-A36B0B697A7E}.exe

Filesize
168KB

MD5
954465c415b66f3e388ef7d5166dcad9

SHA1
fe3b0ece19244e42a8ac4b754de1ea2de0978be8

SHA256
00ce9cb95339f1507378d4a5f59e214953c5c8ca9a41fe7bf1f371a01faaac7e

SHA512
9aacd35500e0e3e3ec27e0aaaa564e49f087dd013dafd2651ebc54dd924713bbf54f93e7072b18f0f580fa2e8a3ebf0a0fbfbc07de55ec131ceefb44fbc9995a

Download Submit
C:\Windows\{33A5FF9B-0F0D-43ac-9DED-39A9C14368CD}.exe

Filesize
168KB

MD5
ef5b15eab9db8973946b6e76b3b1af63

SHA1
9d5827b6219e2101f06d1b050852e07406558dc2

SHA256
c3aaa6437a90023a63cefb945e7c4d4370dd6fcf3c8cb06e28d3bbbae00e760f

SHA512
659d070db8d46cde0e93826bc98e553d0ae49509de52bbd78508ccb62895f9b6b11573b9b8f4ea78eddac52bfa07da8c10a5ac96a418b2f95f6b8f2898850007

Download Submit
C:\Windows\{3B84C5A0-A3B6-4f96-956E-CFB7227CCBDC}.exe

Filesize
168KB

MD5
c8ca1925f18027e25c20e267fbf6536a

SHA1
601dad647b2af34c5e4c335adf28a828d3aea297

SHA256
b787034a006e7a20ce8ff6e770e212ddc932cd2b699de41f402d778e90605718

SHA512
596b4aba773cde8b50cf6cc673a70e80d43cc212c006b22b502ccff26d0c62b3da3fe9a36ad2ff2cfff42f081c7b0fc32ebc4d1ad83c579b869c3b10ef6a6be2

Download Submit
C:\Windows\{557BA13D-9E08-426a-B064-86D3DC6F7EEE}.exe

Filesize
168KB

MD5
c505dd365a17b3e7a029fc28346c3f4b

SHA1
1895ad01068040f5ac6987cb513f0fef84cd7e03

SHA256
1dc109a9440b6ef592cd282603c826e5acd376ac723b6b8b665aa3a544546526

SHA512
addde55608613903f83bd729b39e18263f9add931d7c1fe625d599a9fa68ddeb8d9cb0f37138cc0355e27dd65f8ce7986c8a9781f756ca778edc9c595bd77f28

Download Submit
C:\Windows\{7836ACA0-CDA5-42f1-A8FA-E3A8F6B034D7}.exe

Filesize
168KB

MD5
d057c020bd161544a7c0054a788d4f26

SHA1
2b58c4ed283c7e6019b0951d3e651925b21a090e

SHA256
ec39fb19e72b7d7744ab1f99202e7e02ee0feb08a80eb1211d7f17af2a8deb57

SHA512
38748d72f4e5e808de500eac10b9a85fad8efdcfa3ccccca76269139ef9eddc1b97b1c0feb84169fb17c6d450ca6f9958cdd18aa6bf1de27b3b33add9fc29d63

Download Submit
C:\Windows\{84E81E8F-5CDF-4d23-9DC1-B734C9CDE2AB}.exe

Filesize
168KB

MD5
2bd9fd333db0dc2849628fceec0d28a7

SHA1
e321d69b95fe87dd17a1538e562bbcff2c5bf44d

SHA256
ff0355b6a8237547c253400671537406dd12c53c57cabbac66bfdcbaee3c0517

SHA512
4daa927bb1149683c4ed61b684a04cd28504ab2231ef24f3811c0cce5ee6e1425e1f6b994b202c2a7482251bc198e68f05961656fa1df7a06cd2574765d3c3d5

Download Submit
C:\Windows\{8AEAD561-1864-4992-A7DB-93061214BB30}.exe

Filesize
168KB

MD5
d848e0a7599b00aa9a870928282fcbc4

SHA1
e29586291c9bdb2648bf65de0a4443ef09bb829c

SHA256
6f9823513e359a225d0890ec4eccdb934cf7e01d1cb3ea28af81cb735cb16405

SHA512
f96a5d91e6a61c069bdbbf4ee9e6c4ccf57ad3cad8f02515ce8f08c6a0b76dace9412b6785a155164afd789f8d3460078323a0aff78bf534e4b9c83b81385a4b

Download Submit
C:\Windows\{AE35A883-BEE6-40d4-94CE-A5AEE35AAC12}.exe

Filesize
168KB

MD5
afb789a1cbf175b5c6ec6c5d1620211f

SHA1
0e58534af3a9cf53d72f326a743017bf3e74d429

SHA256
2b59d8cde77250f3b581134d92d8bcb965969c3a37f51c60bd9b5fcf8219f160

SHA512
06dc62fa7c98b9dc49fa5802161462c85d6d6d647b25152ff0b6f1795c38860ea309564b9824be149b0765decead6197b3693fd9416d56a4f09b7ffa596311ea

Download Submit
C:\Windows\{C578459C-69D4-4c3b-A92C-C0B41A81BA2B}.exe

Filesize
168KB

MD5
498409d75f3f7254fff34bb5368fd293

SHA1
3205a037d711a0ad6bc070a09d2e6f7f1d7d9042

SHA256
790974e511763d29937bfde2e85cd731a5cf3ddd8644e83bf8929e9b0b782b43

SHA512
312dc4008a6cbb3f0650fbc518dafbeefe46cca6f02a5c80dbbc801158d316dfceccc2e9fd8266f98831f00476b346db5e11bf9cc031fd91847a79df0021ef33

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads